id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux
15808 "CSRF token cookie does not utilize the ""Secure"" or ""HttpOnly"" flag" Samuel.Lavitt@… nobody "I have observed that the CSRF token will not utilize the Secure or HttpOnly flags, even when the django is configured to protect session cookies using them. I would personally consider the lack of these flags a bug, as it could result in disclosure of the token value to an attacker, which would then allow them to preform CSRF attacks which would otherwise be prevented.
Because of the nature of the CSRF protection, I feel that having, at a minimum, the ability to configure the Secure flag should be included, and possibly a default setting, I understand that jquery and javascript may have need to access the token for submission of data, so HttpOnly as a default may not work in many environments." Bug closed CSRF 1.3 Normal fixed CSRF Secure HttpOnly Accepted 1 0 0 1 0 0